What Happened?
Amnesty International, with assistance from Forbidden Stories, has uncovered a wave of “zero-click” and other spyware attacks that have compromised thousands of iPhones and Android mobile devices. These spyware attacks have targeted journalists, government officials, and activists across the globe, using Israeli technology firm NSO Group’s highly sophisticated and military-grade Pegasus spyware. While many have focused on the use of the Pegasus spyware systems to collect personal data of targeted individuals who are deemed to be a threat to certain governments, the spyware may also pose privacy and security risks to all users of mobile devices.

What is the Magnitude of the Pegasus Security Threat?
Pegasus spyware system attacks have been traced back to 2014. However, the latest series of discoveries shining light on the Apple iOS mobile system vulnerability has been especially concerning from a privacy perspective. The Pegasus spyware attacks have been found on iPhone 11 and 12 (and possibly more) models equipped with the software update iOS 14.6, along with various Android mobile devices. The magnitude of the security compromise within iOS and Android mobile devices from the Pegasus spyware is under investigation, and the necessary steps to identify and address security risks have not yet been released.

What is Pegasus Spyware?
The Pegasus spyware was developed by the NSO Group and was intended to be used by government entities across the world to monitor threat actors. Once the NSO Group licenses the Pegasus systems to a government entity, there is no monitoring by the NSO Group to ensure the lawful use of the Pegasus spyware systems.  The use and supervision of the spyware systems in general remains largely unregulated.

Pegasus spyware has many reported capabilities, including the ability to remotely take over a phone’s camera and microphone, to listen to phone calls, to take screenshots, to record keystrokes, to read text messages and emails, and to access a user’s contacts and browser history.  The full extent of the ability of Pegasus to exploit devices is still being examined.

The Pegasus spyware systems have created such a stir in the political, journalism, and security and privacy sectors that the Pegasus Project has been developed. The Pegasus Project involves over 80 journalists from 17 media organizations, and other organizations (e.g., Amnesty International) reporting and investigating the use of the spyware for global transparency.

What Should You Do?

Some security updates have been issued, and more are expected.  Until more comprehensive solutions are published, mobile device users who are worried that their device may be compromised by the Pegasus spyware may want to research the Mobile Verification Toolkit (MVT) created by Amnesty. This software is available from GitHub, and analyzes records of iOS systems and app databases from iPhones to look for potential signs of compromise. MVT also has the capability to analyze and compare data from Android devices, albeit perhaps not as effectively due to the lack of forensic data available within individual Android device files.

Will Davis, a law clerk with Fey LLC and a law student at the University of Florida-Levin College of Law, contributed to this post. 

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.

Print Friendly, PDF & Email